AWS Shared Responsibility for Compute

If you are using Amazon Web Services (AWS) to run your applications in the cloud, you need to be aware of the AWS shared responsibility model. This model defines who is responsible for what when it comes to security and compliance in the cloud.

What is the AWS shared responsibility model?

The AWS shared responsibility model is a way of dividing security and compliance duties between AWS and the customer. AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services run. The customer is responsible for the data, applications, and configuration they put on top of those components. Where the line falls depends on the service: the more of the stack AWS abstracts away (a managed function runtime rather than a raw virtual machine, for example), the more of it AWS operates and the less the customer has to secure themselves.

Why is the AWS shared responsibility model important?

The AWS shared responsibility model is important because it helps customers understand their role and obligations in securing their data and applications in the cloud. By following this model, customers can benefit from the security and compliance features that AWS provides, while also maintaining control over their own content and configuration.

How does the AWS shared responsibility model apply to compute services?

Compute services are services that provide computing resources for running applications, such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Kubernetes Service (Amazon EKS), AWS Lambda, and AWS Fargate. Depending on the type of compute service, the customer’s responsibility may vary.

For example, for Amazon EC2, which is categorized as Infrastructure as a Service (IaaS), the customer is responsible for managing the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) attached to each instance's network interfaces. Container services sit in between: with Amazon ECS or Amazon EKS using EC2 worker nodes, the customer still patches and hardens those nodes, whereas with AWS Fargate AWS manages the underlying hosts and the customer is responsible for the container images and the task or pod configuration. For abstracted services such as AWS Lambda, which is categorized as Function as a Service (FaaS), AWS operates the infrastructure layer, the operating system, and the runtime platform; the customer remains responsible for the function code and its third-party dependencies, the function configuration, the IAM execution role it runs with, and any secrets or environment variables it is given.

In general, for compute services, AWS is responsible for the security of the cloud, which includes:

  • The hardware, software, networking, and facilities that run the compute services
  • The protection of the global infrastructure (regions, Availability Zones, and edge locations) that supports the compute services
  • The isolation of the customer's compute resources from other customers at the hypervisor and network layers
  • The encryption and key-management capabilities the customer can turn on (for example EBS volume encryption backed by AWS KMS), and the secure decommissioning of physical storage media

The customer is responsible for the security in the cloud, which includes:

  • The data and applications they run on the compute services, including patching of third-party libraries and, on EC2, the guest operating system
  • Deciding whether and how their data is encrypted at rest (for example EBS, S3, or RDS encryption with AWS KMS keys) and in transit (TLS between their clients, load balancers, and instances)
  • The management of their AWS account credentials, IAM users and roles, and the permissions granted to them (least privilege, MFA for human identities, no long-lived access keys on instances where an instance profile will do)
  • The configuration of their compute resources, VPC networking, security groups, and network ACLs
  • The logging and monitoring of their compute activities, for example API activity with AWS CloudTrail, instance and function logs and metrics with Amazon CloudWatch, and network traffic with VPC Flow Logs
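Two of the customer-side items above (security group configuration and encryption at rest) are easy to get wrong silently, because AWS will happily provision an instance with SSH open to the Internet on an unencrypted volume. The following audit script is an added example, not part of the original article or any AWS tool. The check functions take the plain dict shape that boto3's ec2.describe_security_groups() and ec2.describe_volumes() return, so they run offline against the constructed sample data embedded below; the group IDs, CIDRs, and volume IDs in that sample are invented, and the list of "management ports" is this example's own choice. main() wires the same checks to live boto3 calls and needs credentials.

```python
"""Audit customer-side EC2 responsibilities: world-open management ports in
security groups, and EBS volumes not encrypted at rest. The check functions
work on boto3 describe_* response dicts and run offline on the sample data."""
from __future__ import annotations

# Ports attackers scan for first; world-open access to any of these is a finding.
# This list is the example's own choice, not an AWS-defined set.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def _rule_covers_port(rule: dict, port: int) -> bool:
    """True if an IpPermissions entry allows TCP traffic to `port`.
    IpProtocol "-1" means every protocol and carries no FromPort/ToPort."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def _rule_is_world_open(rule: dict) -> bool:
    """True if any CIDR on the rule is the whole IPv4 or IPv6 Internet."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def find_open_management_ports(describe_sgs: dict) -> list[tuple[str, int, str]]:
    """Return (group_id, port, service) for each management port a security
    group opens to 0.0.0.0/0 or ::/0, including via wide port ranges or -1."""
    findings = set()
    for sg in describe_sgs.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            if not _rule_is_world_open(rule):
                continue
            for port, name in MANAGEMENT_PORTS.items():
                if _rule_covers_port(rule, port):
                    findings.add((sg["GroupId"], port, name))
    return sorted(findings)


def find_unencrypted_volumes(describe_volumes: dict) -> list[str]:
    """Return IDs of EBS volumes whose data at rest is not encrypted.
    A missing 'Encrypted' key is treated as unencrypted (fail closed)."""
    return sorted(v["VolumeId"] for v in describe_volumes.get("Volumes", [])
                  if not v.get("Encrypted", False))


# Constructed sample data in the describe_* response shape (invented IDs, not real data).
SAMPLE_SECURITY_GROUPS = {"SecurityGroups": [
    {   # Weak: SSH to the world, plus a wide IPv6 range that also covers RDP (3389)
        "GroupId": "sg-weak0001", "GroupName": "web-and-admin",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        ],
    },
    {   # Weak: all traffic from anywhere (protocol -1 has no port fields at all)
        "GroupId": "sg-weak0002", "GroupName": "allow-all",
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}]}],
    },
    {   # Hardened: SSH only from a corporate range, only HTTPS to the world
        "GroupId": "sg-good0003", "GroupName": "web-hardened",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        ],
    },
]}
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0a", "Encrypted": True},
    {"VolumeId": "vol-0b", "Encrypted": False},
    {"VolumeId": "vol-0c"},  # key absent: reported as unencrypted
]}


def main() -> None:
    """Live audit of the current region (requires boto3 and AWS credentials)."""
    import boto3  # imported here so the checks above stay usable offline
    ec2 = boto3.client("ec2")
    sgs = {"SecurityGroups": [sg for page in ec2.get_paginator("describe_security_groups").paginate()
                              for sg in page["SecurityGroups"]]}
    vols = {"Volumes": [v for page in ec2.get_paginator("describe_volumes").paginate()
                        for v in page["Volumes"]]}
    for gid, port, svc in find_open_management_ports(sgs):
        print(f"FINDING {gid}: {svc} ({port}/tcp) open to the Internet")
    for vid in find_unencrypted_volumes(vols):
        print(f"FINDING {vid}: EBS volume not encrypted at rest")


if __name__ == "__main__":
    main()
```

On the sample data the script flags SSH and RDP on sg-weak0001 (the RDP hit comes from the 3000-4000 range, which a check that only compares FromPort to 3389 would miss), all four management ports on sg-weak0002 because protocol -1 matches everything, nothing on the hardened group, and the two volumes that are not encrypted. AWS provides the security group and EBS encryption features; whether they are set correctly is the customer's side of the model, which is exactly why a check like this belongs in the customer's own pipeline.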

Conclusion

The AWS shared responsibility model is a concept that helps customers understand their role and obligations in securing their data and applications in the cloud. By following this model, customers can leverage the security and compliance features that AWS provides, while also maintaining control over their own content and configuration. For compute services, AWS is responsible for the security of the cloud, while the customer is responsible for the security in the cloud.